Which version do I want?
- Existing projects pinned to a published release: stay on
0.3.0— tag0.3.0or branchv0.3.x. Bug fixes and security patches will be backported tov0.3.x.- New projects, or willing to migrate: track the development branch (this branch). It will become
1.0.0-alphaafter a polish pass and then1.0.0. New SoftSpoken butterfly kernel with rounds 0-2 fused into AES generation at k=8 (eight leaves' Davies-Meyer outputs folded through three halving levels in-register; cross-platform via emp-tool's AesLane abstraction over VAES-512 / VAES-256 / AES-NI / NEON), post-quantumPVWKyberbase OT, reorganized base OTs and extensions, the wire-equivalence framework from emp-tool 1.0 — but the API is not yet frozen and headers may move between alphas. Requires emp-tool ≥ 1.0.0-alpha.
State-of-the-art OT implementations on top of emp-tool:
four base OTs (CO, PVW, CSW, PVWKyber), IKNP and
SoftSpoken OT extensions (semi-honest + malicious), and Ferret silent
COT extension. All hash functions used for OT are instantiated with
MITCCRH
for optimal concrete security.
Heads up — AI-assisted drafts, not yet audited.
PVWKyberis not yet auditted.
- CMake ≥ 3.21
- A C++17 compiler (Clang ≥ 12, GCC ≥ 9, AppleClang 14+)
- emp-tool ≥ 1.0
- OpenSSL ≥ 3.0.
PVWKyber's SHAKE shim usesEVP_DigestSqueezeon ≥ 3.3 (one-shot squeeze) and falls back to a re-init / re-absorb loop on 3.0.x — same answers, slightly slower CRS expansion. No build-time configuration needed; the version is detected fromOPENSSL_VERSION_NUMBER. - pthreads
emp-ot builds a small static library (emp-ot::emp-ot) that bundles
the IKNP, SoftSpoken, and Ferret OT bodies; the rest of the surface
(base OTs, headers consumed inline) lives in headers.
emp-ot consumes emp-tool through its installed CMake package. Install emp-tool first, then build emp-ot the same way:
# emp-tool
git clone https://github.com/emp-toolkit/emp-tool.git
cmake -S emp-tool -B emp-tool/build -DCMAKE_BUILD_TYPE=Release
cmake --build emp-tool/build -j
cmake --install emp-tool/build # respects CMAKE_INSTALL_PREFIX
# emp-ot
git clone https://github.com/emp-toolkit/emp-ot.git
cmake -S emp-ot -B emp-ot/build -DCMAKE_BUILD_TYPE=Release
cmake --build emp-ot/build -j
cmake --install emp-ot/buildIf you don't want to install emp-tool, point emp-ot directly at its build tree:
cmake -S emp-ot -B emp-ot/build \
-DCMAKE_BUILD_TYPE=Release \
-Demp-tool_DIR=/abs/path/to/emp-tool/build| Option | Default | Effect |
|---|---|---|
EMP_OT_BUILD_TESTS |
ON when top-level |
Build the test suite under test/. |
EMP_OT_INSTALL |
ON when top-level |
Generate install + export rules. |
find_package(emp-ot CONFIG REQUIRED)
target_link_libraries(my-app PRIVATE emp-ot::emp-ot)emp-ot::emp-ot is an INTERFACE target that pulls in emp-tool::emp-tool
transitively, so consumers don't need to find emp-tool separately.
cmake -S . -B build -DCMAKE_BUILD_TYPE=Release
cmake --build build -j
ctest --test-dir build --output-on-failureThe two-party benches (bench_iknp_rcot, bench_softspoken_rcot,
bench_ferret_rcot, bench_ot_extension, bench_base_ot,
trace_equiv) launch ALICE/BOB on localhost via the run script.
bench_lpn and bench_cggm are single-process
benchmarks of internal kernels.
test/trace_hash.cpp runs every protocol in the repo under a fresh
NetIO with Fiat-Shamir enabled and prints one SHA-256 digest per
direction per protocol. Refactors that leave the wire bytes
untouched leave the hashes untouched; refactors that do change the
wire are visible as a single-line diff. See
docs/wire-trace-hashes.md for the
full workflow.
$ EMP_TEST_MODE=1 ./run ./build/trace_hash | grep '^[A-Za-z(]'
Current baseline (ALICE's view; first 16 hex of each direction's SHA-256). A change to any of these hashes means the corresponding protocol's wire format changed — fine if intentional, but flag it clearly in the commit message and update this table.
CO send=cb1241385e1fa266 recv=1527f501eb006b21
CSW send=802e9b74d81f63a8 recv=634c8c41847634f2
PVW send=06ff8f3498188271 recv=73bc62e4d02ea245
PVWKyber send=1708ae2aabef619e recv=d8195b395536297d
IKNP semi send=dd62b5bfb8bd58b3 recv=864359025637ab39
SoftSpoken<2> semi send=0e7edf2b638a30db recv=3dafa542197102c0
SoftSpoken<8> semi send=784c7d47a9f146a2 recv=13c3d9136aaa1698
Ferret(b11) semi send=42e75ecf31cec7e7 recv=04549cff31949b6c
F2kVOLE semi send=784ac978756e932c recv=5cf72d6ec0c8248c
FpVOLE semi send=320ae55724cc85bb recv=04358d21086fbdeb
IKNP mali send=bc4e21045185ec28 recv=400bfc6cfc0b8ce5
SoftSpoken<2> mali send=9e9d7a0ff4815691 recv=be74fc600d3ee7b7
SoftSpoken<8> mali send=74a54a2eb2f0fcdd recv=381ad0d603383439
Ferret(b11) mali send=14349b47d4840654 recv=95a3fc38a39e43a7
F2kVOLE mali send=dc93e25b4b3b0d56 recv=932f73c273156a16
FpVOLE mali send=687cf07828fd876b recv=a3392c323c9e5871
#include <emp-tool/emp-tool.h> // NetIO etc.
#include <emp-ot/emp-ot.h> // OTs
using namespace emp;
NetIO io(party == ALICE ? nullptr : "127.0.0.1", port);All OTs in emp-ot derive from a four-layer hierarchy in
emp-ot/ot.h and
emp-ot/ot_extension/ot_extension.h.
Each layer adds methods on top of the previous one; you can always
call a lower-level method on a higher-level object.
| Interface | New methods | Semantics added |
|---|---|---|
OT |
send(m0, m1, n) / recv(mc, c, n) |
chosen-input 1-out-of-2: sender supplies both messages, receiver picks one |
COT : OT |
send_cot(m0, n) / recv_cot(mc, c, n); free send_rot/recv_rot |
chosen-correlation: sender's two messages always differ by a public Delta |
RandomCOT : COT |
rcot(data, n) (role implicit in instance party) |
random correlation: no choice-bit input; receiver's choice ends up in getLSB(data[i]), and Delta's LSB is forced to 1 so the correlation survives that one bit |
OTExtension : RandomCOT |
set_delta(const bool* delta_bool) (sender-only Δ override), chunk_size(), begin/next/end, next_n(data, n), run(data, num) |
streaming RCOT (one fixed-size chunk per next); base-OT bootstrap fires lazily on the first begin |
Concrete classes attach as follows:
- Base OTs (
OTonly):CO,PVW,CSW,PVWKyber. - OT extensions (
OTExtension, so all of the above):IKNP,SoftSpoken<k>,Ferret.
The chosen-input / chosen-correlation / random conversions are implemented once in the base classes (one MITCCRH pass per OT for the chosen-message wrapper, one bit per OT for the random → chosen correction), so picking a backend never forces you to also pick a flavor.
The four base OTs (CO, PVW, CSW, PVWKyber) implement
only the OT interface — chosen-input 1-out-of-2.
block m0[length], m1[length]; // sender's two messages
block mc[length]; // receiver's chosen message
bool c [length]; // receiver's choice bits
PVW ot(&io);
if (party == ALICE) ot.send(m0, m1, length);
else ot.recv(mc, c, length); // mc[i] = m_{c[i]}All four implement the same OT interface. CO is semi-honest;
CSW, PVW, PVWKyber are malicious-secure.
IKNP, SoftSpoken<k>, and Ferret all derive from
RandomCOT, take the same constructor shape, and the same object
exposes all four flavors:
IKNP ote(party, &io);
// SoftSpoken<2> ote(party, &io); Ferret ote(party, &io); ... all the same below.
block buf[length];
// rcot() is single-method and role-implicit — the instance's party
// determines whether it acts as sender or receiver internally.
// Each side fills its own `buf`; sender's buf[i] ^ receiver's buf[i] = c[i] · Δ.
ote.rcot(buf, length);
// COT / ROT / OT flavors are role-explicit (different signatures by side):
if (party == ALICE) {
ote.send_cot(m0, length); // COT: fills m0; m1[i] = m0[i]^Δ
ote.send_rot(m0, m1, length); // ROT: fills m0, m1 (random)
ote.send(m0, m1, length); // OT: sends caller-chosen m0, m1
} else {
ote.recv_cot(mc, c, length); // COT: mc[i] = m0[i] ^ c[i]*Δ
ote.recv_rot(mc, c, length); // ROT: mc[i] = c[i] ? m1[i] : m0[i]
ote.recv(mc, c, length); // OT: mc[i] = c[i] ? m1[i] : m0[i]
}The constructor allocates per-instance state and (on the sender side)
samples a random Δ with LSB(Δ) = 1 pinned. No network I/O runs in
the ctor. The base-OT bootstrap runs on the first begin() (or the
first rcot() one-shot call, which delegates to run() → begin()
internally).
Δ is readable as ote.Delta immediately after construction. The
receiver has no Δ. To override the ctor-sampled Δ (e.g. when an
outer protocol like
emp-zk or
emp-sh2pc supplies its
own correlation), call set_delta before the first rcot() call:
IKNP ote(party, &io);
if (party == ALICE) {
bool delta_bool[128]; /* fill from outer protocol; delta_bool[0] = true */
ote.set_delta(delta_bool);
}
// ote.rcot(buf, length); // bootstrap fires here, on first streaming beginset_delta must fire before the first rcot/begin/run call (asserts
otherwise).
Each extension can be parameterized to bootstrap from a non-default
base OT (default is PVW); pair an extension's malicious mode with
a malicious-secure base — IKNP / SoftSpoken / Ferret check
this at construction time and abort otherwise.
IKNP ote1(party, &io, /*malicious=*/true,
std::make_unique<CSW>(&io));
SoftSpoken<4> ote2(party, &io, /*malicious=*/true,
std::make_unique<CSW>(&io)); // k=4
Ferret ote3(party, &io, /*malicious=*/true,
ferret_b13,
std::make_unique<CSW>(&io));The OTExtension base also exposes a streaming API for callers that
want to overlap RCOT production with downstream work (one fixed
chunk_size()-sized batch per next() call, no internal buffering):
const int64_t chunk = ote.chunk_size();
BlockVec buf(chunk);
ote.begin();
for (int i = 0; i < n_chunks; ++i) {
ote.next(buf.data());
consume_chunk(buf.data(), chunk); // role implicit in party
}
ote.end();The one-shot rcot(data, num) is implemented in terms of this
streaming API plus a small leftover buffer for tails that aren't a
multiple of chunk_size().
For callers that consume the stream incrementally — even one COT at
a time — draw from a single long-lived session with next_n(dst, n)
instead of calling rcot repeatedly:
ote.begin(); // open one session (e.g. in your ctor)
ote.next_n(&one, 1); // draw any count; refills a chunk internally
ote.next_n(batch.data(), k); // …amortizes the per-round end-work
ote.end(); // close it (e.g. in your dtor)This matters because rcot(data, num) opens and closes a session per
call, so the per-round end-work (refill trees + the malicious chi-fold
check) is paid every chunk_size() COTs. next_n keeps one session
open, amortizing that over the whole stream — e.g. emp-zk's per-AND-gate
COT draw is ~20× faster this way than calling rcot(_, 1) in a loop.
next_n is mutually exclusive with run()/rcot() on the same
instance (both touch the same leftover buffer).
AWS c8a.2xlarge (AMD EPYC 9R45, Zen 5, 8 vCPU), Ubuntu 22.04, GCC
11.4, OpenSSL 3.0.2, -march=native.
One batch of 128 base OTs.
| Protocol | Time | Send B | Recv B | Security |
|---|---|---|---|---|
CO |
6.2 ms | 4,165 | 8,832 | semi-honest |
CSW |
9.3 ms | 6,229 | 8,864 | malicious-secure (CDH + RO) |
PVW |
40 ms | 39,424 | 17,664 | malicious-secure (DDH messy mode) |
PVWKyber |
7.3 ms | 200,704 | 98,304 | malicious-secure, post-quantum (ML-KEM-512) |
Length 2²⁵ OTs (~33M). Both MOT/s (million RCOTs per second; median
of 5 runs, slower of the two parties per run) and bits/RCOT (total
wire bytes, both directions) include the one-time base-OT bootstrap
amortised over the bench length.
| Protocol | Mode | bits/RCOT | MOT/s |
|---|---|---|---|
IKNP |
semi | 127 | 227 |
IKNP |
malicious | 127 | 85 |
SoftSpoken<2> |
semi | 63 | 136 |
SoftSpoken<2> |
malicious | 63 | 125 |
SoftSpoken<4> |
semi | 31 | 146 |
SoftSpoken<4> |
malicious | 31 | 135 |
SoftSpoken<8> |
semi | 15 | 57 |
SoftSpoken<8> |
malicious | 15 | 55 |
Ferret |
semi | 0.27 | 83 |
Ferret |
malicious | 0.27 | 78 |
IKNP and SoftSpoken<k> traffic is one-direction: 127 bits/RCOT
for IKNP, 128/k − 1 bits/RCOT for SoftSpoken<k>. Ferret's
0.27 bits/RCOT at 2²⁵ is ~0.20 bits/RCOT of steady-state per-round
MPCOT/LPN traffic plus ~0.07 bits/RCOT of one-time bootstrap; the
bootstrap fraction shrinks linearly with bench length.
COT, ROT, OT flavors layer one MITCCRH pass (and, for
chosen-input OT, one block per OT on the wire) on top of RCOT.
Licensed under the Apache License, Version 2.0 — see LICENSE.